Re: Implicit rule PIX

> The equivalent explicit rule is just "access-list NAME permit ip any any"
> applied to the higher security level interface.
>
>>also a rule like
>>permit DMZ tcp any any, would give dmz also access to inside
>
> That would depend on where it was applied, and it isn't quite that simple.
>
>>So I have to block access from DMZ to inside first and then allow DMZ access
>>outside
>
> Not quite. Given the above rule applied to the DMZ interface, access
> still would only be permitted to those inside hosts which are covered
> by an "nat (inside) 0 access-list" or "static (inside,dmz)".

In my project, the complete network is a public IP /24 network divided into
a lot of small segments connected to individual VLANs.
The PIX has to control who can talk to whom,
so everything is nat 0.
A solution could be not to create a translation map to every network, so no
traffic can flow, as you point out.
But then the nat 0 rules function as a sort of firewall function, perhaps
not so clean to do that.
At the moment I've created nat 0 rules exactly as one would expect: in every
network direction no change of IP address.

>>I'm thinking of creating a network-object which contains all my internal
>>(public IP) networks,
>>deny all access to these networks,
>>then allow access to outside from these networks,
>>apply this to all my interfaces
>>And put all my exceptions before these lines.
>
> You probably don't want to apply that to your outside interface.
>
>>Don't know how an interface will react if a network-object also contains
>>its own interface, and disables access to it.
>
> It won't care, except perhaps in PIX 7 with same-interface routing to
> VPNs.
> With the exception noted, traffic from a subnet inside an interface
> to the -same- subnet, never goes through the PIX and the PIX will reject
> it if you try to force it to. Traffic from the subnet to the PIX itself
> (e.g., ping the PIX) is not controlled by ACLs: it is controlled by
> 'icmp' and 'http' and 'ssh' and 'telnet' commands.

I understand that.
Well, it is PIX 7.
>
>>Or is it possible to make an access-list like:
>> allow traffic from interface-x to interface-y (based only on interfaces,
>> not on IP)
>
> No, you can't do that.

Any other, better ideas how to cleanly manage such a network?

> --
> I was very young in those days, but I was also rather dim.
> -- Christopher Priest
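As an added illustration of the ACL layout the poster describes (exceptions first, then a blanket deny to an object-group of internal segments, then a permit for outbound), this is constructed example configuration in PIX 7 syntax, not the poster's own config; the interface names inside/dmz and the 203.0.113.0/24 segments are assumed.

```cisco
! Constructed example: one object-group holding every internal (public-IP) segment.
object-group network INTERNAL_NETS
 network-object 203.0.113.0 255.255.255.192
 network-object 203.0.113.64 255.255.255.192
 network-object 203.0.113.128 255.255.255.192
!
! ACL for the dmz interface (assumed to hold 203.0.113.64/26). Entries are evaluated
! top down, so the exceptions go before the deny, exactly as the poster planned.
access-list DMZ_IN extended remark exception: dmz segment may reach the mail host on inside
access-list DMZ_IN extended permit tcp 203.0.113.64 255.255.255.192 host 203.0.113.10 eq 25
access-list DMZ_IN extended remark blanket deny to every internal segment (own subnet included; harmless)
access-list DMZ_IN extended deny ip any object-group INTERNAL_NETS
access-list DMZ_IN extended remark everything else is outbound to the Internet
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! Same pattern repeated per internal interface (inside, further VLAN interfaces),
! but, as the reply notes, not on the outside interface.
!
! nat 0 keeps addresses unchanged between segments, as in the poster's setup; the ACL
! above, not the translation map, is what restricts who can talk to whom.
access-list NONAT extended permit ip 203.0.113.64 255.255.255.192 any
nat (dmz) 0 access-list NONAT
```

Each segment's interface gets its own copy of the ACL with that segment's exceptions on top; the object-group is shared, so adding a new internal segment means one network-object line rather than editing every ACL.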